CVE-2025-35060 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Newforma Project Center's Info Exchange (NIX) feature. The vulnerability specifically involves the 'Send a File Transfer' functionality, which permits authenticated remote users to upload SVG files. SVG files can embed JavaScript or other executable content, and due to insufficient input neutralization during web page generation, these scripts may be executed or rendered by web browsers, particularly when accessed via mobile user agents. This improper sanitization allows attackers to inject malicious scripts that can execute in the context of the victim's browser session, potentially leading to session hijacking, data theft, or unauthorized actions within the application. The vulnerability requires the attacker to be authenticated, and some user interaction is necessary to trigger the payload, such as viewing the malicious SVG file through the mobile interface. The CVSS 4.0 base score is 5.1, reflecting a medium severity level, with network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed. No patches or known exploits are currently documented, but the risk remains significant due to the nature of XSS attacks and the sensitive project data managed by Newforma Project Center. The vulnerability affects all versions indicated as '0', suggesting either an unspecified or initial release version. The lack of patch links indicates that remediation may still be pending or in development. The vulnerability's impact is compounded by the use of mobile user agents, which may have different security controls or rendering behaviors compared to desktop browsers.

For European organizations, especially those in architecture, engineering, construction, and project management sectors that rely on Newforma Project Center, this vulnerability could lead to unauthorized access to sensitive project data, manipulation of project workflows, and compromise of user credentials. The XSS flaw can be exploited to execute malicious scripts that steal session tokens, redirect users to phishing sites, or perform unauthorized actions on behalf of authenticated users. This undermines confidentiality and integrity of project information and could disrupt availability if attackers inject disruptive scripts. Given the requirement for authentication and user interaction, the attack surface is somewhat limited but still significant in environments with multiple users and frequent file exchanges. The mobile-specific rendering aspect increases risk for users accessing the platform via smartphones or tablets, common in field operations. The vulnerability could also facilitate lateral movement within an organization's network if attackers leverage stolen credentials or session data. Regulatory compliance risks exist under GDPR if personal data is exposed or mishandled due to exploitation. Overall, the threat could damage organizational reputation, cause operational delays, and incur financial losses.

European organizations should implement the following specific mitigations: 1) Restrict or disable SVG file uploads within Newforma Project Center unless absolutely necessary; consider allowing only safer file formats. 2) Implement server-side sanitization of SVG files to remove or neutralize embedded scripts and potentially dangerous elements before storage or rendering. 3) Enforce strict Content Security Policies (CSP) on the web application to limit execution of inline scripts and restrict sources of executable content. 4) Monitor and audit file upload activities and user interactions for anomalous behavior indicative of exploitation attempts. 5) Educate users about the risks of interacting with untrusted files and encourage cautious behavior, especially on mobile devices. 6) Apply principle of least privilege for user accounts to minimize impact if credentials are compromised. 7) Engage with Newforma for timely patches or updates addressing this vulnerability and test them in controlled environments before deployment. 8) Use web application firewalls (WAF) with custom rules to detect and block malicious payloads in SVG uploads. 9) Regularly review and update mobile device security policies to ensure safe access to project management platforms. These measures, combined, will reduce the likelihood and impact of exploitation.